Tenable Supports Merchants' PCI Compliance Programs
All businesses, whether brick-and-mortar or e-commerce, that transmit, process, or store payment card data are required by the major card brands to comply with the requirements of the PCI DSS and to demonstrate that compliance annually.
Tenable offers solutions that help your business meet specific PCI DSS requirements, monitor your cardholder data environment (CDE) so that it stays in a secure and compliant state, ensure that critical security processes are followed, and provide evidence of compliance for annual validation assessments.
Whitepaper: VMware Product Applicability Guide for PCI DSS 3.0
Tenable Network Security is the first VMware Technology Alliance Partner to have its products reviewed for applicability to version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS).
Nessus Professional: Meet PCI Requirements
Meet: Use Nessus Professional to meet PCI DSS internal vulnerability scanning requirements and to rehearse external scans before they are submitted for validation (external scans must be performed and validated by an Approved Scanning Vendor, such as Nessus Cloud, described below). Nessus tests web applications against OWASP secure-coding guidance and performs web application vulnerability assessments. Prepare for a PCI compliance assessment using Nessus PCI scan reports, which organize scan results for easy, automated analysis.
Drive: Use Nessus to baseline in-scope systems at the start of a PCI compliance effort. Run configuration and compliance audits to determine whether systems adhere to build standards, hardening guides, access controls, and user account management practices, and whether anti-virus/anti-malware signatures and patches are current.
Guard: Nessus identifies sensitive data subject to PCI DSS requirements, such as credit and debit card primary account numbers (PANs), stored on in-scope systems. These searches run without an agent; the scanner only needs valid credentials to log in to the remote host.
Prove: Nessus results can be used during the PCI compliance assessment to demonstrate that the periodic and ongoing processes required by numerous PCI DSS requirements were maintained throughout the assessment period.
PVS: Enforce your Cardholder Data Environment
Passive Vulnerability Scanner™ (PVS™) monitors network traffic continuously using pre-configured detection scripts ("plug-ins") that can be customized for an organization's unique monitoring requirements. Because it observes traffic rather than probing hosts, PVS gives a real-time view of the state of an organization's security without adding load to in-scope systems. PVS is available as an individual product subscription or as an integrated component of SecurityCenter CV.
Drive: Use PVS to detect internal data flows that carry cardholder data. Of particular concern are undocumented processes and flows that were left out when the cardholder data environment was scoped; systems that transmit, process, or store cardholder data are in scope for PCI DSS whether or not anyone documented them.
Guard: PVS detects unprotected (cleartext) transmissions of Primary Account Numbers (PANs) leaving the network or the cardholder data environment. It can only inspect traffic it can read: PANs carried inside properly encrypted sessions are not visible to it, which is the outcome PCI DSS Requirement 4 intends.
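The PAN discovery that Nessus performs on stored data and that PVS performs on network traffic rests on the same idea: find digit runs that look like card numbers, then discard the ones that fail the Luhn check or carry no known issuer prefix, so that order numbers and timestamps do not become findings. The following is an added example of that logic, written for this page and not taken from any Tenable product; the log lines it scans are constructed, the card numbers in them are the well-known public test numbers, and the issuer prefix table covers only four brands. Matches are reported masked (first six and last four digits), which is the maximum PCI DSS Requirement 3.3 permits to be displayed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits.  This deliberately over-matches;
# the Luhn check and issuer prefix check below remove the false positives.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Map a Luhn-valid digit string to a card brand by prefix and length.
    Only four brands are covered here (assumption for the example)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most Req. 3.3 allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    issuer: str
    masked_pan: str
    offset: int


def scan_text(text: str) -> List[Finding]:
    """Scan free text (a file, a log, a reassembled TCP stream) for PANs."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue                       # e.g. a tracking number
            brand = issuer(digits)
            if brand is None:
                continue                       # Luhn-valid but not a card
            findings.append(Finding(line_no, brand, mask_pan(digits), m.start()))
    return findings


# Constructed sample: an application log that should never contain PANs.
# 4111..., 5555...4444 and 3782...0005 are public test numbers.
SAMPLE_LOG = """2014-03-11 09:30:00 order=1187 card=4111 1111 1111 1111 status=approved
2014-03-11 09:30:05 customer phone=5551234567 ext 42
2014-03-11 09:30:07 order_ref=1234567812345670 tracking=1234567890123456
2014-03-11 09:31:00 order=1188 card=5555-5555-5555-4444 status=approved
2014-03-11 09:31:30 order=1189 card=378282246310005 status=declined"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no} col {f.offset}: {f.issuer} PAN {f.masked_pan}")
```

Line 3 of the sample is the interesting one: `1234567812345670` passes the Luhn check but has no issuer prefix, and `1234567890123456` has the right length but fails Luhn, so neither is reported. In a real deployment the candidate regex should also be run across line and packet boundaries, since a PAN split by a CRLF or a TCP segment edge will otherwise be missed.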
Nessus Cloud: Meet ASV Scan Requirements
Tenable's Nessus Cloud provides the quarterly external network scans that the PCI DSS requires of all merchants and service providers. Nessus Cloud is a PCI-approved Approved Scanning Vendor (ASV) solution.
Meet: Use Nessus Cloud to perform official PCI ASV scans and submit them for quarterly validation and attestation. Nessus Cloud can also be used to protect public-facing web applications with automated application vulnerability assessments, run periodically and after any change to the application.
Prove: Tenable's PCI-certified staff will review up to two PCI ASV scans per calendar quarter and, upon approval, provide detailed and executive-summary findings reports along with the required Attestation of Scan Compliance form.
Two-thirds of all PCI-certified ASV companies use Nessus.
Nessus® Cloud delivers the power of Nessus® in an award-winning, cloud-hosted vulnerability management service. Nessus Cloud lets teams share multiple Nessus Professional scanners, scan schedules, scan policies, and, most importantly, scan results, all from the cloud.
SecurityCenter CV: Maintain Ongoing Compliance
Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) is a comprehensive vulnerability, threat, and compliance management platform that reduces the arduous, time-consuming work of forensic analysis and threat or incident response. SecurityCenter CV covers physical and virtual systems, mobile devices, and cloud services. It incorporates unlimited Nessus and PVS scanners and the Log Correlation Engine (LCE) in a single SecurityCenter platform, giving large merchants continuous monitoring and centralized intelligence for maintaining an ongoing posture of compliance with the PCI DSS.
Meet: Use SecurityCenter CV to continuously detect malware that has infiltrated your network and is running in your environment. SecurityCenter CV also provides secure log normalization, aggregation, and storage, and supports the daily log review that the PCI DSS requires.
Drive: Use SecurityCenter CV to continuously monitor the network and discover new devices that may affect the security, or the scope, of your cardholder data environment.
Guard: Use SecurityCenter CV to identify PCI-relevant assets and focus vulnerability scans on those assets, reducing the time and resources required for periodic scanning. SecurityCenter CV also lets you build a single view of risk exposure that includes Internet-facing web application vulnerabilities.
Prove: The SecurityCenter CV platform gives large merchants and service providers continuous monitoring and centralized intelligence for maintaining, and demonstrating over time, adherence to the PCI DSS.
Straight Talk about PCI - the PCI Discussion Forum
Tenable hosts a discussion forum devoted to PCI called "Straight Talk about PCI". The forum is a "safe" place where you can ask questions about any aspect of PCI. It is intended to be a resource for accurate information on the PCI Data Security Standard, particularly in the areas of defining terminology, scoping your cardholder data environment, navigating the compliance process, and interpreting and satisfying the PCI compliance validation requirements your organization faces. The PCI Discussion Forum is moderated by Tenable's resident PCI subject matter expert, who shares insights and lessons learned from nearly ten years of experience as a Qualified Security Assessor (QSA). The forum lets our PCI expert share that knowledge and experience with the larger part of the PCI community that does not ordinarily have access to a QSA's perspective.